ubuntu-appstore-developers team mailing list archive
-
ubuntu-appstore-developers team
-
Mailing list archive
-
Message #00823
Re: Minimizing icon and screenshot transfer size
Because of security risk devportal currently allows uploading of SVG icons,
but renders them on the server and only saves resulting PNG, which is later
served to clients.
Cheers
On 22 April 2014 23:51, Ted Gould <ted@xxxxxxxxxx> wrote:
> On Tue, 2014-04-22 at 13:31 -0400, Rodney Dawes wrote:
>
> On Tue, 2014-04-22 at 17:59 +0200, Jonas Drange wrote:> On Tue, Apr 22, 2014 at 5:43 PM, Rodney Dawes> <rodney.dawes@xxxxxxxxxxxxx> wrote:> My suggestion wasn't to replace all the PNGs with SVGs. In> some cases> that's just not feasible, because the images were drawn with> raster> editors anyway. But making SVG an option on upload, will let> people who> want to use it, use it, and can certainly help reduce file> size for> transferring the icon. I'd certainly want to be able to use it> for any> apps I were to make.> > > Aren't user uploaded SVGs a potential security risk? Is it possible to> completely sanitize an SVG document?
>
> How so? Sure it's possible to sanitize it. But I don't see how it's any
> more of a security risk than someone uploading a PNG or JPEG that
> exploits a problem in libpng or libjpeg.
>
>
> Because of embedded Javascript. Mostly if you ignore the script tag (or
> don't implement it) you're in good shape. But the JS could be rendering the
> graphic in some cases. (i.e. and icon that changed with the phase of the
> moon).
>
> http://commons.wikimedia.org/wiki/Help:SVG
>
> For the most part as long as we render to a bitmap with a confined
> converter things work well, or run through a sanitizer in the same
> conditions.
>
> Ted
>
>
> --
> Mailing list: https://launchpad.net/~ubuntu-appstore-developers
> Post to : ubuntu-appstore-developers@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~ubuntu-appstore-developers
> More help : https://help.launchpad.net/ListHelp
>
>
Follow ups
References